The report highlighted several areas that healthcare providers encounter on a frequent basis where risks could arise internally, such as the potential for privilege abuse. Personnel require access to specific PHI to perform their duties but providing such access puts them in position to easily use or access the PHI for other, malicious purposes. This can be especially problematic with disgruntled or recently fired employees. The three steps a healthcare provider should take to protect itself are: (1) Identify; (2) Address; and (3) Audit.

Identification requires healthcare providers to identify all of the vulnerabilities to PHI; not only those risks from the outside, but just as important, those risks from within the organization. Once a healthcare provider identifies its vulnerabilities, steps should be taken to address each by implementing the appropriate safeguards necessary to protect the PHI, both in terms of technology and internal policies and procedures. Many may recognize this as the first step of any HIPAA compliance plan, which is the Risk Analysis and Management required under the Security Rule. Finally, healthcare providers must continue to be vigilant against the ever-present threat to extremely valuable data through regular audits of the systems and policies in place to find new vulnerabilities or current vulnerabilities being exploited.

Healthcare providers would be wise to conduct an updated (or first) risk analysis and understand where they stand in the fight against threats to PHI.